Authenticating to SUSE CaaS Platform Using External LDAP
External Authentication: Secure and Simpler
Most of us access multiple systems and applications in the average day. For DevOps or systems management staff, the number may run into the dozens. (If every username and password were a key on a physical keychain, some of us wouldn’t even be able to stand up!) You can use a password manager to help with the tangle. But an approach that many organizations use to simplify the authentication experience is external authentication from sources such as directories and social networks. Organizations can consolidate proof of users’ identity in a smaller number of sources, making passwords and other security tools easier to manage.
Now SUSE CaaS Platform can help simplify the authentication experience. We have just released an update to version 3 that lets administrators configure LDAP integration, so users can log into Kubernetes and Velum with their corporate credentials.
External LDAP authentication is the first of a series of protocols we intend to support in SUSE CaaS Platform in the near future. We plan to add OIDC and SAML support as well.
Use of external authentication is a necessary step on the road to single sign-on (SSO) for SUSE CaaS Platform.
Use the standard maintenance update procedure to add this feature.
How It’s Done
We’ve added a new Settings section for EXTERNAL AUTHENTICATION, with an LDAP Connectors option. In this form, you need to identify the LDAP host and port number, whether the system should use STARTTLS instead of a dedicated TLS port, and the certificate of the root CA that issued the server’s certificate. Next, you specify the user credentials used to bind to the LDAP server. (If the directory allows anonymous bind with sufficient permission to run the searches, you can choose that option instead.) Then you specify user and/or group search fields and attribute maps.
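As an added example (not SUSE’s code; the field names, attribute-map keys and sample values are assumptions), here is a Python consistency check of the connector parameters the form asks for, together with a user-search filter that escapes the login name so the value typed at login cannot reshape the directory query:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4515 escaping for values embedded in an LDAP search filter; without it,
# characters such as "*", "(" and ")" in a login name become filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

@dataclass
class LdapConnector:            # field names mirror the form described above (assumed)
    host: str
    port: int
    start_tls: bool             # True: STARTTLS on a plain port; False: dedicated TLS port
    root_ca_pem: str            # CA that issued the directory server's certificate
    bind_dn: Optional[str]      # None means anonymous bind
    bind_password: Optional[str]
    user_base_dn: str
    user_filter: str            # e.g. "(objectClass=person)"
    username_attr: str          # attribute matched against the login name
    attribute_map: Dict[str, str]   # identity field -> directory attribute

def build_user_filter(cfg: LdapConnector, username: str) -> str:
    # Selects exactly the user who is logging in, with the name escaped.
    return f"(&{cfg.user_filter}({cfg.username_attr}={escape_filter_value(username)}))"

def validate(cfg: LdapConnector) -> List[str]:
    # Returns the list of problems found; an empty list means the form is consistent.
    problems = []
    if cfg.start_tls and cfg.port == 636:
        problems.append("STARTTLS selected on 636, which is normally the dedicated TLS port")
    if not cfg.start_tls and cfg.port == 389:
        problems.append("no STARTTLS on 389: bind credentials would cross the network in clear")
    if "-----BEGIN CERTIFICATE-----" not in cfg.root_ca_pem:
        problems.append("root CA field does not contain a PEM certificate")
    if (cfg.bind_dn is None) != (cfg.bind_password is None):
        problems.append("bind DN and bind password must both be set, or both empty for anonymous bind")
    if not (cfg.user_filter.startswith("(") and cfg.user_filter.endswith(")")):
        problems.append("user filter must be a parenthesised LDAP filter")
    for field_name in ("username", "email"):
        if field_name not in cfg.attribute_map:
            problems.append(f"attribute map lacks the '{field_name}' mapping")
    return problems

# Constructed sample for an OpenLDAP-style directory; not a real deployment.
SAMPLE = LdapConnector(
    host="ldap.example.com", port=636, start_tls=False,
    root_ca_pem="-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n",
    bind_dn="cn=readonly,dc=example,dc=com", bind_password="placeholder-secret",
    user_base_dn="ou=people,dc=example,dc=com", user_filter="(objectClass=person)",
    username_attr="uid", attribute_map={"username": "uid", "email": "mail"},
)
```

Run `validate(SAMPLE)` before saving the form; a non-empty list points at the field to correct, and `build_user_filter(SAMPLE, "j.doe")` shows the search the connector would issue for that login.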
We have tested the LDAP integration feature against OpenLDAP, as well as Microsoft Active Directory. We expect it to be compatible with other LDAP-compliant directory servers as well.
See https://www.suse.com/documentation/suse-caasp-3/book_caasp_admin/data/sec_admin_security_external_ldap.html for the updated SUSE CaaS Platform 3 documentation, which covers the steps required to implement external LDAP authentication and describes the forms and parameters.
Extending authentication choices through enterprise and other external sources is the latest example of our dedication to simplification and integration in the enterprise Kubernetes world. If you are running SUSE CaaS Platform 3, update your systems to take advantage of this capability. LDAP integration is also another great reason to migrate to version 3 if you’re running an earlier version. And if you are running another container platform, or are considering modernizing your application environment by moving to containerized workloads, this is another great reason to learn more or to start a free trial.